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DETAILED ACTION 

1 . Claims 1-27 remain for examination. The correspondence filed 4/21/08 amended 
claims 1, 21, and 27. 

Response to Arguments 

2. Applicant's arguments filed 4/21/08 have been fully considered but they are not 
persuasive. Applicant argues, 

SecurityStats.com does not perform an Internet search, Rather, SecurityStats.com allows 
a user to enter a proposed password to assess the strength of the password 
SecurityStats corn explicitly states how the scoring works: 

How scoring works: Your password will be checked for complexity 
against the guidelines below (See Suggestions). In addition, your 
password will also be checked against a hacking dictionary containing 
commonly used passwords and keystroke combinations (italics added) 

Thus, SecurityStats.com does not disclose or suggest performing and Internet search 
that searches contents of the Internet using a search engine tool, as required by each 
independent claim, as amended. 

Examiner disagrees, by observing that Applicant's argument fails to take into 
account that the hacking dictionary disclosed by SecurityStats.com would itself qualify 
as "contents of the Internet" under the broadest reasonable definition of the term. 
Although the SecurityStats.com reference is not specific in disclosing exactly where the 
hacking dictionary is located, one of ordinary skill in the art would plausibly infer that the 
hacking dictionary would be located on the same server as the SecurityStats.com 
webpage - which is an Internet site separate and distinct from the machine that initiated 
the query, such as the P-Synch system or the claimed invention - or alternatively, the 
hacking dictionary exists on a third party location elsewhere on the Internet (for which 
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Examiner has enclosed examples of publicly accessible hacking dictionaries made 
available for the express purpose of being queried to find common passwords). Thus, 
since SecurityStats.com searches contents of the Internet [albeit, very specific contents, 
in the form of entries from hacking dictionaries], thus SecurityStats.com also qualifies as 
a "search engine" under the broadest reasonable interpretation of the term. Although 
Applicant has suggested that the search engine may comprise any of the more 
commonly known search engines such as Google or Orkut, there is no limitation in the 
claim that would limit it to such. 

To recap, Examiner maintains that (a) as P-Synch comprises the capacity to 
query other web sites as part of a password evaluation process, and (b) other web sites 
such as SecurityStats.com existed to be queried to evaluate passwords, wherein said 
query entails searching the contents of one or more hacking dictionaries located 
somewhere on the Internet in an attempt to find the potential password being queried, 
thus the combination of P-Synch and SecurityStats.com remains obvious and reads on 
the claims even as amended by Applicant. 



Claim Rejections - 35 USC § 103 

3. The text of those sections of Title 35, U.S. Code not included in this action can 
be found in a prior Office action. 

4. Claims 1 -27 are rejected under 35 U.S.C. 1 03(a) as being unpatentable over the 
P-synch version 6.2 software product, as evidenced by the "P-Synch Installation and 
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Configuration Guide" (hereinafter, "P-Synch"), in view of the web page 
"SecurityStats.com Password Strength Meter" (hereinafter, "SecurityStats.com"). 

Regarding claims 1, 21, and 27: 

P-Synch discloses a method, apparatus, and article of manufacture for 
evaluating a password proposed by a user during an enrollment process (page 21, "5.3 
Accounts on target systems") comprising: receiving said proposed password from said 
user (page 4, "3. Users select a new password..."); evaluating results from a table 
lookup relative to one or more predefined thresholds (page 4, "4. P-Synch checks the 
new password..."; cf. pages 124-126, but particularly those rules on page 126 as 
indicated); and rejecting said proposed password when said user is correlated with said 
proposed password if one ore more of said predefined thresholds are exceeded by said 
results (Ibid). With respect to claim 21 , P-synch is installed on a server (page 28, "1 . 
Prepare a P-Synch server..."), which inherently possesses memory and a processor 
coupled to said memory. 

P-Synch does not explicitly disclose performing an Internet search using a query 
containing one or more keywords derived from said proposed password. However, it is 
observed that P-synch, while already possessing a defined set of rules to measure a 
proposed password's strength, can nevertheless be extended by allowing an admin to 
add new rules via a plugin (page 127, section 10.19.1 "Adding new rules with a plugin 
program"). Furthermore, it is observed that P-Synch is essentially a web application, in 
that users interact with P-Synch via a web browser (page 6, "2.2.1 User Interfaces"; cf 
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Figure 10.3 on page 93) and P-Synch is capable of interacting with other web sites via a 
web interface (see the "HTTP apps" and "HTTPS apps" on page 20; cf. the sample 
scripts for interacting with a website on pages 327 & 328). Moreover,SecurityStats.com 
discloses a publicly available web site on the Internet that one may query to determine if 
a password is sufficiently strong (see page 1 ). Examiner takes Official Notice that the 
hacking dictionary employed by the SecurityStats.com is "contents of the Internet" for 
which the SecurityStats.com website searches [i.e. the site acts as a "search engine"] in 
order to fulfill its function. Additionally, SecurityStats.com recommends not using the 
actual proposed password but rather something similar [i.e. a keyword] to perform the 
query (page 1 , 2 nd paragraph). Thus the claim is obvious because all the claimed 
elements were known in the art, and one of ordinary skill in the art could have combined 
the elements as claimed by known methods (i.e. writing a plug-in for P-Synch to use P- 
Synch's web interface to query SecurityStats.com as a new password strength rule), 
and the combination would have yielded predictable results to one of ordinary skill in the 
art at the time of the invention. 

Regarding claims 2, 3, and 22: 

P-Synch further discloses wherein said one or more predefined correlation rules 
evaluate whether that said proposed password can be [qualitatively: the password is the 
username; quantitatively: the password is similar to the username] correlated with said 
user (page 126, as indicated). 
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Regarding claims 4, 6, 23, and 24: 

P-Synch further discloses wherein said proposed password is comprised of a 
proposed answer and a proposed hint (the user Q&A profiles on pages 83 and 199-200; 
cf.). Although P-Synch has many rules by which one can correlate a proposed 
password to known weak passwords, P-Synch does not explicitly disclose determining 
whether the proposed answer can be correlated to/obtained from the proposed hint (i.e. 
the proposed password should not be similar to any of the personal information used in 
establishing one's personal profile - see also page 6, "2.2.2 Authentication System"). 
However, P-Synch discloses that one can augment the rules by which it determines the 
strength of proposed passwords (via external plug-ins, page 126; cf. sections 10.19.1 
and 10.19.2 on pages 127-128) developed using techniques that one of ordinary skill in 
the art would have known (pages 576-584), said plug-ins allowing P-Synch to query 
additional sources for password strength rules (Ibid). Furthermore, SecurityStats.com 
teaches that it was common knowledge that various kinds of information already 
retained by P-Synch for a user's personal profile (the hints and answers), makes for 
very weak passwords (the "DONT'S" list on pages 1-3). It would have been obvious to 
one of ordinary skill in the art at the time the invention was made to develop a plug-in for 
P-Synch, in accordance with the techniques explicitly disclosed for that exact purpose, 
that would have allowed it to query the user's personal profile to see if the proposed 
answer correlates to [e.g. is an anagram of], or can be obtained from [e.g. is an exact 
match for], the password hint. All the claimed elements were known in the prior art and 
one skilled in the art could have combined the elements as claimed by the disclosed 
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methods, and the combination would have yielded predictable results to one of ordinary 
skill in the art at the time of the instant invention. 

Regarding claim 5: 

P-Synch further discloses wherein said particular relation is selected from the 
group consisting essentially of self, family member, co-author, teammate, colleague, 
neighbor, community member, or household member (pages 83, 199, & 200). 

Regarding claims 7 and 25: 

P-Synch further discloses wherein said proposed password is an identifying 
number (e.g. PIN number, e.g. page 6, "2.2.2 Authentication Systems"). 

Regarding claims 8, 1 0, 1 1 and 26: 

Although P-Synch discloses wherein said proposed password is an identifying 
number, it does not explicitly disclose rules to determine if the identifying number meets 
any of the following criteria: whether said identifying number identfies a person in a 
particular relationship to said user [claims 8 and 26], identifies a top N commercial entity 
[claim 10], or identifies said user [claim 11]. However, P-Synch maintains a database 
with each of those pieces of information: a number that identifies a person in a particular 
relationship to said user ("Family member phone number that is not your own", pages 
83 and 200), a top N 1 commercial entity (radio station dial number, Ibid), and the user 



1 For purposes of the rejection of claim 10, it is assumed that N=1 . 
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("Your SSN", Ibid). P-Synch further discloses that one can augment the rules by which 
it determines the strength of proposed passwords (via external plug-ins, page 126; cf. 
sections 10.19.1 and 10.19.2 on pages 127-128) developed using techniques that one 
of ordinary skill in the art would have known (pages 576-584), said plug-ins allowing P- 
Synch to query additional sources for password strength rules (Ibid). Furthermore, 
SecurityStats.com teaches that it was common knowledge that each piece of personal 
information known to be recorded by P-Synch makes for a very weak password (the 
"DONT'S" list on pages 1 -3). It would have been obvious to one of ordinary skill in the 
art at the time the invention was made to develop a plug-in for P-Synch, in accordance 
with the techniques explicitly disclosed for that exact purpose, that would have allowed 
it to query the user's personal profile to evaluate whether the identifying number meets 
any of the recited criteria in these claims. All the claimed elements were known in the 
prior art and one skilled in the art could have combined the elements as claimed by the 
known methods, and the combination would have yielded predictable results to one of 
ordinary skill in the art at the time of the instant invention. 

Regarding claim 9: 

P-Synch further discloses wherein said one or more pre-defined correlation rules 
evaluate whether said identifying number is a top N most commonly used identifying 
number (in the embodiment where the password is a PIN, the password history rules on 
pages 126 and 127). 
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Regarding claims 12-14: 

P-Synch further discloses wherein said identifying number is a portion of a 
telephone number, address, or social security number (pages 83 and 200). 

Regarding claim 15: 

P-Synch further discloses wherein said proposed password is a word (page 125, 
the dictionary rules). 

Regarding claim 16: 

P-Synch further discloses wherein said one or more predefined correlation rules 
evaluate whether a correlation between said word and said user exceeds a predefined 
threshold (e.g. the last two rules on page 125). 

Regarding claim 17: 

P-Synch further discloses wherein said correlation is determined by performing a 
meta-search (searching in accordance with rules found in one or more external plug-ins 
and/or the password history table, page 126). 

Regarding claim 18: 

P-Synch further discloses wherein said step of ensuring a correlation further 
comprises the step of performing a meta-search (Ibid). 
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Regarding claim 19: 

P-Synch further discloses wherein said step of ensuring a correlation further 
comprises the step of performing a local proximity evaluation (e.g. the last two rules on 
page 125, and the variants of the username on page 126). 

Regarding claim 20: 

P-Synch further discloses wherein said step of ensuring a correlation further 
comprises the step of performing a number classification (the digits rules: page 125). 

Conclusion 

5. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure: 

• "SecurityFocus Presentation: Online commonly used password database" 
teaches that there existed a long felt need to have a publicly accessible common 
password database on the Internet that could be queried by anyone so as to 
determine if a password were weak (i.e. susceptible to being cracked), thus 
further suggesting the combination of P-Synch and SecurityStats.com above 

• "Openwall Project" discloses the existence of a public hacking dictionary that 
appears to be similar to the hacking dictionary disclosed by SecurityStats.com, 
and which Examiner cites as supporting evidence for the Official Notice, as per 
MPEP 2144.03 
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• Excerpts from the Openwall password list (last updated 12/2/98), and a password 

list from www.phenoelit-us.org 
6. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1 .136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Thomas Gyorfi whose telephone number is (571)272- 
3849. The examiner can normally be reached on 8:30am - 5:00pm Monday - Friday. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on (571) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

TAG 
5/23/08 
/KIMYEN VU/ 

Supervisory Patent Examiner, Art Unit 2135 



